CVE-2009-0784: SystemTap Race Condition

SystemTap is a well-known system administration utility for Linux. It is shipped by numerous popular Linux distributions and used by a lot of people. This bug was patched by Євгеній Мещеряков, but I'm not sure whether he is the one who discovered it in the first place. The code presented here is from the latest release of SystemTap, which is 0.9 (the patch was applied to the snapshot build).

So… this looks like "I'll do anything to avoid a TOCTOU bug" to me. This function, found in runtime/staprun/staprun_funcs.c, checks the module path against various conditions, but a race window remains. It is called by check_permissions(), which is in turn invoked from main(). The problem with the above code lies between lines 267 and 275. After line 267, modpath should hold the canonical path stored in module_realpath, which is used later (line 284) and is also the path that should be used to load the module. The two variables should point to the same string, but modpath is never updated, so the function leaves them inconsistent: the conditions are checked against the resolved path while the later load goes through the original, user-supplied one. Anything that changes what that original path resolves to between the check and the load (a symlink repointed at another file, for instance) bypasses the checks. Here is the patch to avoid this inconsistency:
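To make the check/use gap concrete, here is an added example in C. It is not code from SystemTap or from the author of this post; it models the pattern described above: a path check that resolves the user-supplied path with realpath(), validates the resolved path, but leaves the original path in place for the later load, beside the corrected version that overwrites the path with the one that was actually validated. The directory layout, the "allowed" policy, the simulated attacker and the load step are all constructed in a scratch directory and are hypothetical; the real staprun check and loader are not reproduced.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if `path` lies inside directory `dir` (both canonical, no trailing slash). */
static int path_is_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && path[n] == '/';
}

/* Vulnerable pattern: the path is resolved and the *resolved* path is checked,
 * but `modpath` itself is left untouched, so whoever loads the module later
 * re-resolves the original (attacker-controllable) path. Returns 0 if allowed. */
int check_path_vuln(char *modpath, const char *allowed_dir)
{
    char real[PATH_MAX];
    if (realpath(modpath, real) == NULL)
        return -1;
    if (!path_is_under(real, allowed_dir))
        return -1;
    /* BUG: modpath is not updated to `real`; check and use diverge here. */
    return 0;
}

/* Corrected pattern: once the check passes, `modpath` is overwritten with the
 * path that was validated, so the check and the load refer to the same file. */
int check_path_fixed(char *modpath, size_t modpath_size, const char *allowed_dir)
{
    char real[PATH_MAX];
    if (realpath(modpath, real) == NULL)
        return -1;
    if (!path_is_under(real, allowed_dir))
        return -1;
    if (strlen(real) + 1 > modpath_size)
        return -1;
    memcpy(modpath, real, strlen(real) + 1);
    return 0;
}

/* Create an empty placeholder file standing in for a module image. */
static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Simulates the race in a fresh scratch directory (constructed, hypothetical layout):
 *   <dir>/allowed/ok.ko   - the only module the policy permits
 *   <dir>/evil/evil.ko    - the attacker's module
 *   <dir>/mod.ko          - symlink the attacker controls, passed as the module path
 * The symlink points at ok.ko while the check runs and is repointed at evil.ko
 * before the "load" step resolves `modpath` again.
 * Returns 1 if evil.ko would be loaded, 0 if ok.ko would be, -1 on setup error. */
int simulate_race(int use_fix)
{
    char tmpl[] = "/tmp/toctou-demo-XXXXXX";
    char dir[PATH_MAX], allowed[PATH_MAX], evil[PATH_MAX];
    char ok_mod[PATH_MAX], evil_mod[PATH_MAX], link[PATH_MAX];
    char modpath[PATH_MAX], loaded[PATH_MAX];
    int result = -1, rc;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (realpath(tmpl, dir) == NULL)       /* canonical base, e.g. /private/tmp on macOS */
        return -1;
    snprintf(allowed,  sizeof allowed,  "%s/allowed",       dir);
    snprintf(evil,     sizeof evil,     "%s/evil",          dir);
    snprintf(ok_mod,   sizeof ok_mod,   "%s/allowed/ok.ko", dir);
    snprintf(evil_mod, sizeof evil_mod, "%s/evil/evil.ko",  dir);
    snprintf(link,     sizeof link,     "%s/mod.ko",        dir);

    if (mkdir(allowed, 0700) || mkdir(evil, 0700) || touch(ok_mod) || touch(evil_mod)
        || symlink(ok_mod, link))
        goto out;

    /* The user-supplied module path is the symlink. */
    snprintf(modpath, sizeof modpath, "%s", link);
    rc = use_fix ? check_path_fixed(modpath, sizeof modpath, allowed)
                 : check_path_vuln(modpath, allowed);
    if (rc != 0)
        goto out;                          /* check rejected the path: setup problem */

    /* Attacker wins the race: repoint the symlink after the check, before the load. */
    if (unlink(link) || symlink(evil_mod, link))
        goto out;

    /* The loader resolves whatever is in modpath *now*. */
    if (realpath(modpath, loaded) == NULL)
        goto out;
    result = strcmp(loaded, evil_mod) == 0;

out:
    unlink(link); unlink(ok_mod); unlink(evil_mod);
    rmdir(allowed); rmdir(evil); rmdir(dir);
    return result;
}

int main(void)
{
    printf("vulnerable check: attacker's module loaded = %d\n", simulate_race(0));
    printf("fixed check:      attacker's module loaded = %d\n", simulate_race(1));
    return 0;
}
```

With the vulnerable check the loader ends up on evil.ko even though every condition passed; with the corrected check it stays on ok.ko because the symlink is no longer consulted after validation. Overwriting the path with its resolved form is exactly the inconsistency the patch addresses, but it still relies on the resolved path staying stable, which holds only when the directories it passes through are not writable by the attacker. The general remedy for check/use gaps on files is to open the file once, validate the open descriptor with fstat(), and read the module image from that same descriptor, so there is no second name lookup to race at all.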